Businesses demand stronger app security

Businesses now rely on mobile, web and desktop applications more than ever, but many companies are still looking for stronger data security in apps before they start leaning on them more heavily in their operations. CSO's Antone Gonsalves said implementing security has never been the top priority in app development, but pressure is now starting to build from organizations that want to see better frameworks for secure programming. The website noted one example of security already becoming a priority: a major upgrade to Oracle's Java app, notorious for featuring vulnerabilities, will be delayed due to work on plugging holes.

Making security a priority from the start of development can lead to fewer holes for hackers to take advantage of, according to experts. This means fewer patches and higher quality software, something Jeremiah Grossman, chief technology officer for consulting firm WhiteHat Security, said is necessary.

Over the years, developers have seemed to avoid the additional costs and resources of making sure security is implemented from the start, as Gonsalves said there has been a prioritization of performance over security. Now, more threats exist in the cyber world than ever before and companies need more protection, as they have a greater amount of sensitive information online. Matthew Neely, director of research and development for consulting firm SecureState, said that, especially for larger businesses, there is more demand than ever for the applications and software they use to be secured from the start. However, it may still take a bit of time for smaller organizations to reach the same level of security.

"Getting it past the medium to the small companies is going to be hard, because of the resources required to put people in to do the security testing and to train the people," he told CSO Online.

Ensuring apps are built stronger
A recent report from HP found that 69 percent of web applications scanned had at least one SQL injection error and 42 percent had a cross-site scripting vulnerability. Matthew Schwartz, editor of InformationWeek, wrote that it is time for companies to start taking security in application development far more seriously and said it should begin from the birth of the app itself.

Schwartz spoke with Jerry Hoff, VP of the static code analysis division at WhiteHat Security, who gave some tips for having more secure apps and started by saying that user input is not going to be a friend of business when developing apps. He added that organizations need to know which vulnerabilities have the potential to harm a company and have controls in place in the language the business and its IT department use.

"If you're working in a particular language – even if you're a manager – you should know the security controls for that platform," said Hoff. "That should be like a seatbelt or airbag that's already built into cars. They should just have that as part of their toolkit."

Other tips from Hoff printed by Schwartz for developing a secure app include:
– Do not write security controls in-house unless there is a stated security expert in place
– Be sure to have security resources that can be used to ensure the app is being secured in the best way possible
– Continuously apply new security controls, as the best way to prevent attacks is to always be on top of the new technology and information that is available

Hoff said every company will have different ways of controlling data security but each needs to figure out its methods and keep up with them as often as possible.